MCU Vendors Tackle Electronic Safety

Electronic failure is a subject engineers always fret about but seldom discuss.

Unfortunately, it’s a phenomenon that all too easily occurs. Bits conflict, data gets corrupted, and software programs can be influenced in sudden, unpredictable ways. What engineers don't want is for those unpredictable events to wrestle control away from an automotive steering system or an industrial stamping press.

"We can't prevent bits from being flipped," Mathieu Blazy-Winning, functional safety lead for the microcontroller solutions group at Freescale Semiconductor, said in an interview with Design News. "There's always a residual risk. But we can make our technology as robust as possible, so that it can deal with the unexpected."

Indeed, electronics suppliers are increasingly attempting to deal with the unexpected flipped bit. On Tuesday, Freescale rolled out a program called SafeAssure, which is targeted at the automotive and industrial markets. The announcement, made at this week's Freescale Technology Forum in Japan, followed on the heels of a broad safety hardware introduction from Texas Instruments last week. Similarly, Infineon Technologies rolled out safety designs in March, and Renesas Electronics did the same late last year.

Programs and products such as those are growing more important as OEMs ratchet up their dependence on electronic control. "It's key, as we know, because electronics can randomly fail," Blazy-Winning told us. "And given that we know electronic systems can malfunction, we have to make sure that those malfunctions don't put people's lives at risk."

Freescale's rollout targets ISO 26262, an automotive safety standard that will be published late this year, and IEC 61508 Edition 2, an existing standard aimed at industrial automation. The automotive standards are considered especially significant because automakers are increasingly using electronics to control the stability and steering of vehicles. Standards such as ISO 26262 will enable the development of electronic systems that can prevent dangerous failures. In automotive steering, for example, a fail-safe system would prevent the electronics from overriding the driver's actions in an unsafe way. It might also prevent an airbag from going off at the wrong time. The idea, engineers say, is not only to prevent dangerous failures, but also to control them when they do occur.

Freescale's new program makes it easier for designers to achieve compliance with the new standards. Some of the company's hardware -- including microcontrollers, power management ICs, and sensors -- now incorporate self-testing, monitoring, and hardware-based redundancy aimed at promoting safety. Analog products, meanwhile, provide for the checking of timing and voltages. And the company is rolling out software to help with safety system integration.

The technology is aimed at two types of failures: systematic failures, which can only be eliminated by changing a design or manufacturing process, and random hardware failures, which can occur unpredictably over the lifetime of a device.
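To make the "hardware-based redundancy" and "self-testing" concepts above concrete, here is an added illustration in C that is not Freescale's or any vendor's code: a safety-relevant value is stored together with its bitwise complement so a random single-bit flip is caught on read, and two independent channels must agree before a command is acted on, otherwise the system falls back to a safe state. All names and the sample values are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Safety variable stored twice: the raw value and its bitwise complement.
 * A flipped bit in either copy breaks the complement relation on read. */
typedef struct {
    uint16_t value;
    uint16_t inverse;   /* always ~value while the storage is intact */
} safe_u16_t;

void safe_u16_write(safe_u16_t *s, uint16_t v) {
    s->value = v;
    s->inverse = (uint16_t)~v;
}

/* Returns true and sets *out when both copies agree, false on corruption. */
bool safe_u16_read(const safe_u16_t *s, uint16_t *out) {
    if ((uint16_t)(s->value ^ s->inverse) != 0xFFFFu) {
        return false;   /* detected random hardware fault in RAM */
    }
    *out = s->value;
    return true;
}

enum { CMD_SAFE_STATE = 0 };   /* hypothetical: e.g. "no assist torque" */

/* Two independent channels compute the same actuator command. Only a
 * matching, uncorrupted result is used; anything else commands the safe
 * state rather than letting a corrupted value reach the actuator. */
uint16_t vote_command(const safe_u16_t *ch_a, const safe_u16_t *ch_b) {
    uint16_t a, b;
    if (!safe_u16_read(ch_a, &a) || !safe_u16_read(ch_b, &b)) return CMD_SAFE_STATE;
    if (a != b) return CMD_SAFE_STATE;
    return a;
}

/* Constructed scenario 1: both channels intact and in agreement. */
uint16_t demo_intact(void) {
    safe_u16_t a, b;
    safe_u16_write(&a, 0x0123);
    safe_u16_write(&b, 0x0123);
    return vote_command(&a, &b);   /* the agreed command, 0x0123 */
}

/* Constructed scenario 2: a single bit flips in channel B's storage. */
uint16_t demo_bit_flip(void) {
    safe_u16_t a, b;
    safe_u16_write(&a, 0x0123);
    safe_u16_write(&b, 0x0123);
    b.value ^= (uint16_t)(1u << 5);   /* constructed fault injection */
    return vote_command(&a, &b);      /* safe state, not the corrupted value */
}
```

The complement check catches any odd number of flipped bits in a copy, and the cross-channel comparison catches faults that slip past a single channel's own check; real safety MCUs implement the channel duplication in hardware (lockstep cores) rather than in software as shown here.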

Freescale isn't alone in its rollout. On September 6, TI unveiled a platform of 34 microcontroller units (MCUs) aimed at safety-critical apps. Infineon recently rolled out a design package aimed at functional safety for embedded products that use the IEC 61508 standard. And in November, Renesas introduced an automotive product family that includes safety MCUs for chassis, dashboard, body, and car audio applications.

"As a technical community, we're probably going to see people latch on to this," Adib Ghubril, research director for the semiconductor group at Gartner Inc., said in an interview with Design News last week. "The technical community has certainly latched on to security MCUs."

Dev Pradhan, safety MCU product line manager for TI, said: "Systems need to be able to handle random, unpredictable failures. Safety products have built-in features that help manage those unpredictable situations."

I expected this subject would come up sooner or later with microprocessors now controlling the functions of automobiles. PLCs have been used for years to control elevators and amusement park rides. Generally for critical situations such as this, there are two PLCs and they monitor each other in a 'watchdog' configuration. There are few if any failures in these systems that can be traced back to the controller... I have been in the automation business for 30 years and have never seen a PLC fail or had to replace one. Obviously this same robustness needs to be applied to embedded automotive control systems. And work under many varied modes and environmental conditions. No easy task.

While it is no easy task right now, with the advances in electronics and chips, it will not take long for it to become easier.

MCUs are becoming the working horse of industry. As their reliability and acceptance occurs, it won't be long before they are in everything. As long as engineers keep in mind that they need to implement code to compensate for the lack of inherent robustness that the MCU lacks versus PLCs, MCUs are a very strong contender.

Control system safety has always been a vital part of control systems, and in times past it was mandatory that the emergency-stop system not depend on any programmable logic. The reason is clear, not that the hardware was unreliable, but that the software could be corrupted. That was acknowledged by all involved, and the rules written accordingly.

Now we get to where there are all kinds of software controlled functions in a car, with quite a few of them being important to vehicle safety. This has certainly increased the probability that a failure could have very bad results. After only a few dozen unexpected acceleration incidents it has become apparent that perhaps some effort should go toward guarding against software failures. Of course, only a fool would release a system whose "emergency stop" function was dependent on part of the software in the control program. Those responsible for assuring the safety of cars on the road should have refused to allow the sale of any vehicle that could not be switched off manually in the event of a control program failure. It would seem that economic considerations were far more important than user safety. In this case especially, providing an "emergency stop" function would not have added any major cost to the system and it would have shown due diligence in providing a safety feature.

So now the makers of the automotive systems are at last admitting that things can fail, at least a bit, on occasion, and so they have decided to provide a means to reduce the effect of a failure. This is certainly good, and it should benefit all. But I still would demand that all vehicles have a means to shut the engine off, independent of the control program. And I don't believe that is at all paranoid, not one bit.
